11 ways to secure your Magento store against hackers

Published

August 28, 2015

/

Updated

/

From

Graham Lipsman

A few days ago on Reddit someone asked a great question: “How can you ensure the safety of your eCommerce site?” I was pleased to have an opportunity to share what we’ve learned at BranchLabs. Working with many different Magento installs over the years has given us insight into the most cost-effective methods of securing installs.

It was also a breath of fresh air to hear someone proactively searching for ways to secure themselves. Too often, security investments are made only after a compromise is detected. Only after a company is forced to send out one of those terrible, “Your credit card information may have been stolen” emails.

The bare minimum recommendation I’d make is to invest in a monthly sweep of your codebase. Search the common places hack code lives. By doing this monthly, you’re at least limiting your window of exposure for most hacks. Ideally though, each month you’re shoring up your defenses too. Read on for recommendations to that effect.

How can you ensure the safety of your Magento store?

This question is not asked often enough. If you’re using an open source platform for your eCommerce endeavors, you must make a conscious investment in its security. Far too many companies invest nothing in security until it is too late. It doesn’t need to be a huge amount—a small investment with someone competent is much better than nothing—but it does need to be a recurring, budgeted for investment.

There are two security goals worth investing in—preventing future attacks and investigating if you’re already compromised (aka staunching the bleeding).

Investigating if you’ve already been compromised

Check the web root folder for suspicious files

Attackers often drop web shells or other exploit files in the web-root or on folders just above. Poke around for anything suspicious. If you detect something, figure out what it was used for—oftentimes the first file you find is just the tip of the iceberg. Once you’re confident you understand how it was used, purge it.

Audit Magento’s core files

Good Magento developers have no need to modify core framework files to change functionality or add features. Ideally, your install should have no core modifications. Sometimes though, hackers modify core files (like app/Mage.php) to steal customer information. Therefore, identify and investigate each core modification individually. We developed a Magento audit tool to help speed up this process—it instantly finds core files that have been modified. This is helpful in identifying potential compromises as well as shoddily implemented customizations.

Check the CMS’s frontend script injection points

Magento has a few places where it allows you to insert javascript on every page for easy implementation of tracking scripts and the like. This can also be used to inject hostile JS that, for instance, harvests customer CC information from the checkout page. One example of this can be found in System > Configuration > Design > HTML Head > Miscellaneous Scripts.

Audit your admin users

If an attacker gains access to your installation they’re likely to leave backdoors for access all over the place. Admin users are a decent place to hide. Check for unrecognized usernames and remove them. Additionally, double check known usernames to ensure their associated email address is correct. I’ve seen attackers change email addresses for valid admins and trigger reset password emails to regain control of patched sites.

Check your crontab

A cron is a task that runs on an ongoing, scheduled basis on your server. Crons can be used for good—cleaning/rotating log files, updating or clearing caches, batching email sends—but they can also be used by attackers. Attackers might use a cron to post-harvested information to their server, generate reports of activity on your site, or ensure their hack remains in place, even after you’ve removed it.

Preventing future attacks

Apply all officially released security patches ASAP

Audit the extensions you’re running

Remove those you no longer use. The more code you run, the more places a potential vulnerability can live.

Install file integrity monitoring software (FIM)

A FIM basically takes a snapshot of your current codebase and, on an ongoing basis checks it against what you’re running in production. It will send a nightly report telling you if any files changed, and if so, which ones. If you weren’t expecting any edits, that’s a sign to investigate. I’ve had success with Tripwire’s FIM in the past.

Ensure your host is logging network traffic at high fidelity

If you are compromised, you want to maximize the chance of being able to figure out where an attacker originally gained access so you can patch the vulnerability. You’ll need to work with your host to get a good solution in place.

Change the default admin login URL

Magento’s default admin URL is /admin. Change it to something unique, like /brand-superusers. This will prevent most brute force style attacks. Preventing brute force attacks saves server resources, speeding up your site for legitimate customers. Based on access logs for sites that use the default Magento admin URL, most are hammered with these attacks constantly.We developed an extension that allows you to change the required password length for admins. Use it as an additional line of defense against brute force attacks.

Ensure your host has prevented use of dangerous PHP functions

These functions are exec, system, phpinfo, proc_open, show_source, shell_exec, passthru, and popen. These either leak sensitive information or provide direct paths to privilege escalation. Someone with write-access to your server (e.g. through an upload form that’s improperly secured) can exploit these very easily.

Bare Minimum Security vs. the Ideal

It is not fun to inform your valued customers that their personal information may have been stolen on your watch. Bare minimum, you should have a professional dedicate a few hours each month to do a security sweep. That way, you’re at least limiting your window of exposure.

In an ideal situation, you’re shoring up your defenses each month. Adding detection methods. Working with your hosting provider to log and analyze traffic.

Security is a serious concern. Unfortunately, the majority companies don’t make an investment until it’s too late.